New GDPR challenges in Hungarian employment

Endre Várady

The Hungarian GDPR implementation package, which amends 86 sectoral laws, has brought important changes to the workplace environment. Many of the new rules may present hardships for employers, as they force changes upon deeply rooted traditions. The stakes are high, as employees now have a powerful tool in their hands before both the data protection authority and the labour court. Companies are therefore strongly advised to check their data processing practices in the employment context.

VJT & Partners has collected the key legislative changes in the employment context.

No copies

From now on, during the onboarding process employers may only ask the employee to show his/her documents (e.g. ID, driving licence, address card, tax card and qualification documents) and the employee may not make copies of these either electronically or in paper form. This is hard to put into practice when the labour authority examines the lawfulness of the onboarding process but the employee cannot show the necessary onboarding documents to the labour authority (i.e. he/she lost them). Thus, a solution must be worked out which properly answers both the privacy and the labour inspection challenges.

No criminal background checks

The employer may ask the employee to show his/her criminal conviction information only under very limited circumstances, such as when the employer has a relevant financial interest to protect (such as work concerning money management, surveillance or key IT system administration). The financial interest must be backed up with the “legitimate interest test” (showing that the employer’s interest in seeing the employee’s criminal conviction record is greater than the employee’s personality rights).

Stricter conditions for employee monitoring

Even before the GDPR implementation package, it was clear that the employer may monitor the employee’s work (such as e-mail, laptop or internet use) only if the employer gives prior notice of this action. However, the GDPR implementation package made it clear that such notice must be given in writing and must explain why the employer’s measures are necessary and proportionate in comparison to the limitation of the employee’s personality rights.

Biometric entry methods became forbidden

From a practical point of view, as a result of the GDPR implementation package, it became forbidden to use biometric entry systems (such as fingerprint authentication). Some exceptions apply, but only in a very few limited cases: for example, the employer may use such entry methods if the purpose of operating the system is to protect the employees’ physical integrity and health.

CCTV rules do not stay the same either

From now on, the employer may decide on its own how long CCTV records may be kept, but must do so in accordance with the storage limitation principle. Furthermore, the employer may only make CCTV records of the private area of the company; in public areas used as private areas (such as around the entrance of the company) the employer may no longer record images.


In a nutshell, the rules on data processing in the employment context have become significantly stricter, and expectations have also risen. Companies are advised to reconsider their current practices, policies and other documentation in this area. Endre Várady, head of VJT & Partners’ data protection team, is here to assist in creating lawful and tailor-made processes.